Oauth2 SSO from external site -- what to do with the sesskey parameter?

by Jason Maur -
Number of replies: 1

Hi,

So I have set up an oauth2 Microsoft service and everything works fine; however, here is what I want to be able to do:

1) Log into MS (Office 365)

2) From within Office 365, click a link that logs me into Moodle automatically using oauth2

I got things to work as desired by linking to https://mysite.com/auth/oauth2/login.php?id=<oauth2_service_id>&wantsurl=http%3A%2F%2Fmysite.com%2Fmy%3F from Office 365, but I had to comment out the call to "require_sesskey()" in auth/oauth2/login.php so that it would work. Otherwise, I get an invalid / required sesskey error.

Looking at auth/oauth2/login.php file, it makes a call to sesskey() later on, which, after commenting out the call to require_sesskey(), will just create a new one and pass it as part of the return URL to the oauth2 provider.

So my questions are can I safely comment out that call to require_sesskey()? Are there any security concerns in doing so? Am I missing something?

Thanks, I hope it's clear!

In reply to Jason Maur

Re: Oauth2 SSO from external site -- what to do with the sesskey parameter?

by Igor Agatti Lima -
Hi Jason,

I have a similar problem, maybe we could help each other out. I set up an oauth2 Drupal service and everything works like you said. But I want the user to use oauth2 as the default login.

To help with the sesskey problem this is what I did:
I created a simple plugin that creates a sesskey and redirects to the oauth2 path. When the user is already logged in to Drupal it works fine, but when they have to log in the session seems to have expired. This might solve it for you.

require_once('../../config.php');

// Where to send the user once the OAuth2 login completes. PARAM_LOCALURL only
// accepts a relative path or a URL under this site's wwwroot, so the plugin
// cannot be used as an open redirector.
$pmurl = optional_param('wantsurl', '/', PARAM_LOCALURL);

$PAGE->set_url(new moodle_url('/local/auto_oauth2/redirector.php'));
$PAGE->set_context(\context_system::instance());
$PAGE->set_title('Redirect');

// Build the login URL with moodle_url so wantsurl is properly encoded; sesskey()
// returns the key bound to the current Moodle session, which satisfies require_sesskey().
$url = new moodle_url('/auth/oauth2/login.php', ['id' => 2, 'wantsurl' => $pmurl, 'sesskey' => sesskey()]);
redirect($url);

Yet I don't know if it is safe to remove the require_sesskey(), but with the solution above you wouldn't have to remove it.